Title: Snuffleupagus 0.3.1 - Elephant Arch
Date: 2018-08-20 20:45

[![snuffleupagus logo]({static}/images/sp.png)](https://snuffleupagus.readthedocs.org)

We just released [Snuffleupagus](https://github.com/nbs-system/snuffleupagus/releases/tag/v0.3.1)
`0.3.1`, named **Elephant Arch** after the cool-looking [Elephant Arch](https://www.hikestgeorge.com/elephant-arch-red-cliffs-desert-reserve/),
in the [Red Cliffs national conservation area](https://www.blm.gov/programs/national-conservation-lands/utah/red-cliffs-nca).

It's the second release that I didn't do myself, leaving the release manager
seat to my colleague [he2ss](https://github.com/he2ss),
to reduce the [bus factor](https://en.wikipedia.org/wiki/Bus_factor) even
further.

# Changelog

## Improvements

- [Default rules](https://github.com/nbs-system/snuffleupagus/blob/master/config/default.rules) were improved,
  with disabled `xxe` and *hard_rand* on, along with relaxed restrictions on which file extensions can be included.
  Session cookies now also come with the `SameSite` flag on, killing CSRF!
- Because managing immutable websites is non-trivial, we added an option to
  [generate rules](https://github.com/nbs-system/snuffleupagus/blob/master/scripts/generate_rules.php)
  without hashes, based only on file names.
- PHP uses [`phar` archives](https://secure.php.net/manual/en/book.phar.php) for
  [various reasons](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017),
  so we made Snuffleupagus' `filename` filter accept paths starting
  with `phar://`.

## Bug fixes

- The harden rand feature was ignoring parameters in some cases; it's not the
  case anymore.
- Fix [possible crashes/hangs](https://github.com/nbs-system/snuffleupagus/issues/189) when using php-fpm's pools,
  reported by [sriccio](https://github.com/sriccio), who responded to the resolution of the issue with "Thanks a lot
  for this. I've tried this in a sandbox system, now time to see how it will
  react on a shared hosting production server with ca. 200 pools :)" ♥
- Fix an infinite loop on echo hook, related to the previous point.
- Fix an issue with the filename filter, because we didn't manage to wrap our heads
  around the multitude of functions provided by PHP to deal with `zval` and
  `zend_string`, again.
- Apparently, people are reading [our documentation](https://snuffleupagus.readthedocs.io/) and found some typos for us to fix.
- Arch Linux's [PKGBUILD](https://github.com/nbs-system/snuffleupagus/blob/master/PKGBUILD) is working again.

If you want to help, as usual, we have some
[low hanging fruits](https://github.com/nbs-system/snuffleupagus/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) ♥

See you in your PHP stack!
